Let Hackers in and Shine a Spotlight on Them – How Karamba’s ThreatHive works

Aviv Sinai, Karamba R&D engineer | May 22nd, 2019

Imagine a home security system that lets burglars in through the front door - and records their every move. Now you have an idea of what Karamba is doing with ThreatHive.

Take a moment to think like a burglar.

On your typical workday you’ll find all types of security systems to work around. Some houses have high walls and motion-detectors hooked up to cameras, some have a dog and a well-armed owner, and some just leave the door unlocked and all the valuables lying out in plain view.

Now picture a house that lures you in and lets you take your time. Meanwhile, the security system is recording all your moves, seeing how you got in, where you go once you’re inside the house, and what you’re looking to steal.

And there’s one other big difference – the house is a decoy and the real prey is you. You are under the spotlight and all your actions are shared publicly so that other homeowners will know how to keep you out.

Now you’ve got an idea of how Karamba’s ThreatHive system works.

I’ve been a research and development engineer at Karamba Security for the past two and a half years. My job is to look for ways that systems can be compromised, where their security is working, and where it leaves a lot to be desired.

For well over a year I’ve been a part of the team operating tests on ThreatHive, a key component in Karamba’s portfolio of security solutions.

ThreatHive acts like an online honeypot and lures in attackers, while differentiating between datacenter and mobile cyberattacks and ones directed at automotive systems.

How’s it work?

ThreatHive is comprised of online servers with public IP addresses, which give hackers and anybody else the possibility to access them. In this case, the machines are shielded decoys of automotive Electronic Control Units (ECUs), just like the ones used by our customers.

By staking out the decoy, our customers and us see which parts of the ECU attackers are trying to hack and where the manufacturer needs extra protection.

We try to make the decoy look as authentic as possible - we’re not opening all the ports or hanging up a virtual flashing neon sign that the ECU is “open for business.”

ThreatHive is unique in the world of cybersecurity. Most honeypot systems are domain-based; they’re trying to find someone entering the system so they can shut it down before any damage is done. On the other hand, we let them knock on the door, break the glass, come down through the chimney, all of it. Once they’re inside we’re not giving them real information about the ECU, rather, we’re putting them into a container of sorts where we can see what makes them tick.

Already in our research we’ve discovered that the average automotive ECU is subject to more than 300,000 attacks each month.

It’s a rough neighborhood, but with Karamba ThreatHive we have the ability to put hackers on candid camera and collect detailed data that can be crucial for our clients during the development of autonomous and connected vehicles.

Read more

Continue the conversation!

Want to learn more?

Contact Us


24 HaNagar Street
Hod Hasharon
Tel: +972 9 88 66 113



41000 Woodward Ave
Building East, Suite 350
Bloomfield Hills, MI 48304
Tel: +1 833 4KARAMBA



Landstr. 264, Munich
Tel: +49 892 1547 7583